Technical white paper
HP Secure Print
Learn about the architecture, policies, and safeguards that help keep
your information secure when using HP Secure Print
Table of contents
Introduction (p. 2)
  Business challenges (p. 2)
  The cloud print revolution (p. 2)
  A flexible, scalable solution (p. 3)
Cloud Connector option (p. 5)
  Network configurations (p. 5)
Local Connector option (p. 9)
  Network configuration (p. 9)
QR Code option (p. 12)
  Network configuration (p. 12)
Secure print workflow (p. 13)
  Document storage (p. 13)
  Document submission (p. 13)
  Document release (p. 14)
  Authentication options (p. 15)
Data protection (p. 16)
  Data control (p. 17)
  Document encryption (p. 17)
  Security is a shared responsibility (p. 18)
Customer readiness (p. 18)
  Platform communication (p. 18)
  Cloud API endpoints (p. 18)
  Network ports and protocols (p. 19)
  Deployment requirements (p. 22)
Network utilization (p. 25)
  Print Scout (p. 25)
  Device Scout (p. 26)
  Internet traffic (p. 28)
Introduction
With HP Secure Print, you can easily establish secure printing workflows across your organization without the hassle of
setting up and maintaining print servers and queues. The solution runs on a true cloud (cloud-native) platform built on
Amazon Web Services (AWS).
HP Secure Print creates secure print workflows by forcing user authentication at printers and multifunction printers (MFPs).
Employees quickly authenticate themselves at a chosen printer by using their mobile device, their ID badge (proximity card),
or by entering their email and PIN or user ID and password into the printer’s control panel. Documents are then released
only to the document owner, which protects confidentiality.
Because employees must be physically present at a printer to authenticate and collect their document, the solution
practically eliminates the problem of abandoned prints: documents that are left in printer trays or tossed into recycle bins.
This saves money and prevents waste. This workflow also improves convenience: employees can submit their print jobs
from any location, even outside the company network, and then release their documents at any secure printer on the
network.
When used along with HP Insights, the solution creates secure and flexible printing workflows and provides the data insights
you need to continually optimize your print environment and keep your organization’s costs down year after year.
Business challenges
Our research into business challenges has revealed three broad themes:
1. Businesses need to transition employee printing into their cloud ecosystem. Company leaders consistently report that
their cloud migration strategy is critical to their business and that print needs to be part of the strategy.
2. Many businesses must meet strict compliance and security requirements. These companies are seeking services that
meet or exceed their current data compliance and security mandates. Comprehensive data protection and privacy
regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require
the appropriate safeguards.
3. Printing should be a simple, intuitive experience for employees. How people work has evolved. Employees frequently
work outside the office, on their own devices, and at all hours of the day and night. Print is a utility that must be
available and simple to use whenever it’s needed.
HP Secure Print helps solve these business challenges while also improving information security, reducing print
infrastructure, and controlling output costs.
The cloud print revolution
Companies are rapidly moving away from a local network infrastructure and toward specialized cloud services. They are
decommissioning their data centers, eliminating servers, and relying on service providers to manage their infrastructure and
workflows.
Gartner Group predicts that cloud services will grow at nearly three times the growth of all other IT services over the next
three years.[2] In their 2019 Technology Forecast, Gartner says, “We know of no vendor or service provider today whose
business model offerings and revenue growth are not influenced by the increasing adoption of cloud-first strategies in
organizations.”[2]
Print has emerged as one of the most critical systems for companies to shift to the cloud, for several reasons, including:
1. The elimination of print servers delivers a significant and immediate positive ROI. Each server eliminated represents
hard savings. Using Microsoft® Total Cost of Ownership (TCO) calculator, a typical enterprise print server costs around
$7,500 annually to license and manage.
2. Cloud-based printing improves flexibility and scalability. Companies want services that seamlessly grow with their
business. They want to avoid the costs and hassle of server planning, setup, and maintenance.
3. Cloud printing is fast and easy to deploy. With no server deployments to plan and manage, solution designs are
simplified, and consulting services are scaled back.
4. The solution is always up to date. IT managers don’t have to worry about what product version they are running.
Automatic cloud updates ensure that the organization always has the latest features and improvements.
5. Companies can improve their information security and reduce their risk. Increasingly, companies are moving IT burdens
from in-house services to specialized cloud service providers to shift their risk to companies that are better equipped to
manage that risk. Print is no different. Companies like Amazon, Google™, and Microsoft provide world-class cloud
platforms that are proven to be more secure than conventional corporate networks that rely on perimeter security
measures.
A flexible, scalable solution
Every organization is likely to have a different set of requirements to fit their network topology, leverage their preferred
identity provider, and establish how print jobs should be stored and delivered. HP Secure Print provides several
configuration options to fit practically any corporate environment and use case. The choice of these settings will either
expand or contract the available feature set of the solution.
These configurations can be used alone or in combination. In this document, we describe these configurations as:
• The “Cloud Connector” option, for Zero Trust networks or for conventional networks with local or cloud storage. See
  details on page 5.
• The “Local Connector” option, which provides multivendor integrated printer support and also supports Active Directory
  (AD) as the authentication provider. It requires the use of a Device Scout in your network to secure your printers. See
  details on page 9.
• The “QR Code” option, which enables mobile release as an authentication option for releasing secure print jobs. Any
  PCL6-compliant network printer can be enabled for mobile release. See details on page 12.
Sample use cases
HP Secure Print is designed to be flexible. Below are a few examples of how it might be deployed.
Conventional networks with cloud job storage
Many companies wanting to take advantage of the benefits of cloud services for their secure printing will have conventional
networks in place. These networks focus on perimeter security and allow some level of trust and access to peers on the
network.
In this environment, the company network provides workstations and printers access to internet-based resources and it
trusts devices within the network to communicate. Print jobs can be stored in the cloud and pulled (downloaded) by the
cloud-aware HP printer. Or print jobs can be stored in the cloud and pushed to the printer when using QR code mobile
release. See page 12 for more information.
Figure 1: The HP Secure Print workflow for conventional networks with cloud job storage
[Figure 1 diagram labels: HP Secure Print; Cloud release (true pull print); Workstation; Print Scout; HP printer; Scout release (push print)]
Conventional networks with local job storage
Organizations that do not allow print job data to be stored in the cloud due to security or export restrictions will need their
print solution configured for local storage only. In this configuration, the network provides workstations and printers access
to internet-based resources and there’s a level of trust and access (line-of-sight) between peers on the network.
Because of these limitations regarding the handling and storage of data, print jobs are stored on-premises and must be
pushed to the printer upon successful user authentication. When using the Local Connector configuration or the QR Code
option, print jobs are released by the Print Scout and pushed to the printer.
Figure 2: The HP Secure Print workflow for conventional networks with local job storage
Zero Trust networks
Large global enterprises are beginning to adopt internet-only networks that do not allow any lateral communication
between peers on the network. This growing trend is in response to increasingly sophisticated attacks and the trend away
from centralized data centers and on-site network infrastructures.
These networks provide no way for devices on the network to see each other, let alone communicate. For this reason, these
networks are called “Zero Trust networks.” User workstations and printers are given access to internet-based resources but
provide zero trust or access to peers on the network. Every device has only its individual connection to the internet.
The cloud becomes the “broker” which handles the movement of data from workstation to printer. Print jobs stored in the
cloud must be pulled (downloaded) from the cloud. Print jobs cannot be stored on the user workstation because the
workstation cannot access the printer directly.
Figure 3: The HP Secure Print workflow for Zero Trust networks
[Figure 2 diagram labels: HP Secure Print; Workstation; Print Scout; HP printer; Scout release (push print)]
[Figure 3 diagram labels: HP Secure Print (true pull print); Workstation; Print Scout; Cloud-aware HP printer]
Cloud Connector option
The HP Secure Print system works with the printers and MFPs deployed across your organization. When deployed with the
Cloud Connector option, the system requires only one software component, the Print Scout. The HP Secure Print mobile app
is an optional component. See page 12 for more information.
Network configurations
HP Secure Print supports any type of corporate network, including conventional networks behind a firewall, minimal
infrastructure environments that seek to avoid the use of print servers, and Zero Trust (internet-only) networks.
The HP Secure Print Cloud Connector delivers true cloud secure printing workflows that do not require any print servers or
other onsite server infrastructure components. It supports two types of configurations:
• Zero Server is for organizations with a conventional corporate network who want to take full advantage of the features
  and benefits of a true cloud solution. In this configuration, you can enable cloud storage or local storage of print jobs.
• Zero Trust is for organizations that do not have a conventional network infrastructure and want a true cloud solution to
  enable secure printing capability to employees within an internet-only, or Zero Trust, environment.
Both configurations establish a simple and efficient secure printing environment that can be distilled down to “print, park,
pull.”
Figure 4: The true cloud secure printing workflow: Print, park, pull
Benefits of the Cloud Connector
The Cloud Connector enables companies to take full advantage of the cloud and its many benefits: deep savings in terms of
costs and resources, improvements in efficiency and scalability, and the immediate ROI from the elimination of print,
application, and database servers.
No servers are needed to enable secure printing workflows on integrated HP true cloud printers. Existing customers can
easily migrate from using the local connector and can decommission their Device Scout server.
The HP Secure Print Cloud is a multi-tenant platform built on AWS. It offers high availability, elasticity, and scalability. There
is no single point of failure in the system and it can be scaled up to accommodate increased workloads by provisioning
resources incrementally. Its elasticity enables the solution to add or reduce services to optimally manage dynamic
workloads, all handled automatically by AWS.
The HP Secure Print Cloud is designed to expand or contract capacity as needed. It can support organizations with 10
devices or 10,000 devices. It can also support organizations that expand from 500 devices to 5,000 devices. In other words,
you will never need to worry about how many printers a server can support or when to add another server to the solution.
Serverless (Zero Server) configuration
There’s a growing trend among companies of all sizes to eliminate print servers and reduce IT maintenance tasks in favor of
specialized cloud services. The serverless configuration, or “Zero Server” option, provides true cloud print management for
companies that do not allow or want print servers within their corporate network and that wish to take full advantage of the
features and benefits of a true cloud solution.
[Figure 4 panels]
Print: Users print documents from Windows®, macOS, Linux®, Android™, and iOS
Park: Documents are transferred and stored securely in the cloud
Pull: Users authenticate and retrieve documents from the cloud
This configuration supports conventional networks by using a combination of cloud storage and the employee workstation
to “park” jobs until the user is ready to authenticate at a secured device to release (print) the document.
Figure 5: The serverless (Zero Server) configuration
Figure 5 shows how the serverless configuration works in a conventional corporate network.
1. Employees print as they normally do, from whatever application they may be using.
2. Depending on the configuration, the print job is parked either in the cloud or on the user workstation, awaiting secure
   release.
   • If you have cloud storage enabled, the print job is uploaded and stored securely in the cloud. A TLS v1.2 connection
     is used for data in transit and AES-256 job encryption is used for data at rest.
   • If you have export restrictions or other data policies that restrict cloud storage, the print job is parked by the Print
     Scout directly on the workstation. AES-256 job encryption is used for data at rest.
3. Employees can now walk up to any secured printer to authenticate and release (pull) their documents.
   • If cloud storage is enabled, the cloud-aware printer requests the cloud-stored job and the documents are either
     printed immediately or the user is presented with a list of jobs to review, select, and print. This is true pull printing
     because the printer makes the request and downloads the document from the cloud.
   • If cloud storage is not enabled, the Print Scout on the workstation pushes the job to the printer upon successful
     authentication, and the documents are either printed immediately or the user is presented with a list of jobs to
     review, select, and print.
Zero Trust network configuration
The Cloud Connector enables organizations to leverage the latest in security technologies and strategies. Specifically, the
solution supports Zero Trust networks (also called “internet-only” networks), in which all devices are connected directly to
the cloud with none of the east-west (peer-to-peer) communications that define a conventional corporate network.
This is the next-generation network topology used by several large global businesses and in time will become the new
security standard employed by organizations. Zero Trust defends against modern cyberthreats by moving beyond
perimeter security. It eliminates the threat of lateral movement within a network, also known as east-west communication.
The point of infiltration for an attack, such as a printer, is often not the target location. Preventing lateral movement is
critical to protecting the rest of your network.
In other words, there is no communication between the employee workstation and the printer, so there is no channel
through which devices can connect. There is no trust or line-of-sight between peers, which reduces many security risks
inside the company network.
[Figure 5 diagram labels: HP Secure Print; Cloud release (true pull print); Workstation; Print Scout; Cloud-aware HP printer; Scout release (push print)]
Figure 6: The Zero Trust network configuration
[Figure 6 diagram labels: HP Secure Print (true pull print); Workstation; Print Scout; Cloud-aware HP printer]
The trend toward Zero Trust networks
Companies are increasingly implementing Zero Trust for many reasons. The technologies that support Zero Trust are
becoming mainstream amidst growing pressure to protect enterprise systems from increasingly sophisticated attacks. For
example, Google's BeyondCorp was one of the first published implementations of a Zero Trust network by a well-known
technology enterprise.
The conventional security model (Castle and Moat) entails the outdated assumption that everything on the inside of an
organization’s network can be trusted. It’s no longer a safe assumption that a firewall will protect a network or its data. The
moat (firewall) is a deterrent, not a fail-safe. It may be difficult to obtain access from outside the network, but everyone and
everything inside the network is trusted by default, which is no longer considered the most secure network model. Once an
attacker gains access to the network, they have free rein over everything inside.
The most damaging data breaches happened because hackers were able to move through internal systems without much
resistance once they got past the corporate firewalls. Because traditional security models are designed to protect the
perimeter, threats that get inside the network are left invisible, uninspected, and free to morph and move wherever they
choose to extract valuable business data. Zero Trust defends against these cyberthreats by eliminating the possibility of
lateral (east-west) communication within a network.
For those companies looking to transition to this network security model, HP Secure Print enables a safe and convenient
printing experience within a Zero Trust network.
Micro-segmentation
An important concept of Zero Trust is micro-segmentation, the practice of breaking up security perimeters into small zones
to maintain separate access for various parts of the network. HP Secure Print implements this segmentation principle.
Printers and MFPs can be moved outside the corporate perimeter (externalization) without disrupting employee printing.
The workstation and the printer communicate in a north-south direction with an explicit trusted secure end point within the
HP Secure Print Cloud (AWS). Employee printing with HP Secure Print does not require implicit trust between the
workstation and the printer. It’s not constrained to inside the corporate perimeter and it does not require communication
over known insecure protocols and ports that bad actors commonly prey on.
As such, if a workstation is compromised, the printer is not exposed. The same applies in the other direction. If the
printer is compromised, the workstation is not exposed because there is no peer-to-peer print path (lateral movement).
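The property described in this section, that no workstation-to-printer print path exists, can be checked against network flow logs. The following Python is an added example, not part of the HP white paper or HP software; the log format, the 10.20.0.0/16 site range and the sample records are constructed, and the port list (TCP 631, TCP 9100, UDP 161) is taken from the Local Connector deployment diagram later in this paper.

```python
"""Flag east-west print traffic in flow logs.

Added example, not HP code. The record format, the site address range and the
sample flows are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Device-facing ports named in this paper's Local Connector diagram.
PRINT_SERVICES = {
    ("tcp", 631): "IPP/IPPS",
    ("tcp", 9100): "RAW",
    ("udp", 161): "SNMP",
}

# Assumption: the address space that holds the site's workstations and printers.
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2024-05-01T09:12:03Z 10.20.1.15 203.0.113.10 tcp 443 ACCEPT
2024-05-01T09:12:09Z 10.20.1.15 10.20.9.40 tcp 9100 ACCEPT
2024-05-01T09:12:41Z 10.20.1.15 10.20.9.40 tcp 9100 ACCEPT
2024-05-01T09:13:02Z 10.20.1.77 10.20.9.40 udp 161 DROP
2024-05-01T09:13:30Z 10.20.9.40 203.0.113.10 tcp 443 ACCEPT
2024-05-01T09:14:00Z 10.20.1.15 10.20.9.41 tcp 631 DROP
truncated line
""".splitlines()


class Flow(NamedTuple):
    ts: str
    src: IPAddr
    dst: IPAddr
    proto: str
    dport: int
    action: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    proto.lower(), int(dport), action.upper())
    except ValueError:
        return None


def is_internal(addr: IPAddr, networks=SITE_NETWORKS) -> bool:
    return any(addr in net for net in networks)


def east_west_print_flows(lines: Iterable[str],
                          networks=SITE_NETWORKS) -> List[Tuple[Flow, str]]:
    """Return flows on print or printer-management ports where BOTH ends are on site.

    North-south traffic (device to cloud) is ignored, whatever the port.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        service = PRINT_SERVICES.get((flow.proto, flow.dport))
        if service and is_internal(flow.src, networks) and is_internal(flow.dst, networks):
            hits.append((flow, service))
    return hits


def summarize(hits: List[Tuple[Flow, str]]) -> Counter:
    """Count hits per (source, destination, service, firewall action)."""
    return Counter((str(f.src), str(f.dst), svc, f.action) for f, svc in hits)


def permitted_pairs(hits: List[Tuple[Flow, str]]) -> List[Tuple[str, str, str]]:
    """Peer pairs whose lateral print traffic was allowed: a segmentation gap."""
    return sorted({(str(f.src), str(f.dst), svc)
                   for f, svc in hits if f.action == "ACCEPT"})


if __name__ == "__main__":
    found = east_west_print_flows(SAMPLE_FLOWS)
    for key, count in sorted(summarize(found).items()):
        print(count, *key)
    print("allowed lateral print paths:", permitted_pairs(found))
```

Dropped flows show attempts that segmentation blocked; accepted ones show peers that can still reach each other.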
Print Scout
The Print Scout is lightweight client software that is deployed to employee workstations to enable secure printing and
capture printing data. More specifically, the Print Scout:
• Provides a simple setup wizard for each user to register with HP Secure Print and begin to print securely
• Submits, holds, and releases print jobs
• Collects user printing data for reporting purposes, including:
  ◦ User information from Active Directory (if AD is relevant)
  ◦ Information from the printer that releases the print job (via SNMP)
  ◦ Print job data via print stream analysis (print job name, number of pages, application from which the job was
    submitted, file format of the print job, and other metadata)
As a system administrator, you can control what data is collected and who can see it. You can configure the Print Scout’s
collection settings to disable or obfuscate the collection of certain types of data. You can also apply role-based viewing
restrictions, giving some system users a limited view of the data. For example, you can enable or disable the collection of
the user’s name, department, region, building, the document name, and many other user-specific records. Print Scout data
collection is covered in the HP Insights technical white paper.
Cloud Connector deployment topology
The following illustration depicts the cloud deployment model, service responsibilities, and document submission and
release workflows when using the Cloud Connector.
Figure 7: The Cloud Connector deployment topology
[Figure 7 diagram labels: Print job delivery; IPP-Everywhere; MFP pulls job list and prints documents on request; SSO provider; Route 53; Print services; Auto scaling; ECS instances; Docker container services; DynamoDB; S3; RDS; Secure job documents; Secure job metadata; User identity cache; Card registry]
This deployment topology leverages AWS best practices to provide security, scalability, and high availability. This includes
using security groups to separate web, app, and data tiers, ELBs for load balancing and scalability, and ECS and EKS clusters
for hosting microservice containers.
Service descriptions
Print Scout API Service: Provides the API to Print Scouts deployed on workstations, which allows them to retrieve
configuration, report their health, auto-update, and submit documents from print queues.
Secured IPP Service: Provides a secure IPP implementation which exposes the IPP v2/IPP-Everywhere API to connected
clients such as Linux, Windows, and Mac workstations, in addition to iOS and Android mobile devices. Print documents are
submitted from these clients directly to this service in the cloud.
MFP Control Service: Provides control functionality to the applications running directly on MFPs, such as offloading card
swipe events, proxying document listing, and reporting copy, fax, and scan transactions. This service will also assist in
deploying applications to run on the MFPs.
MFP Data Service: Acts as a bridge between the MFP Control Service and applications running on the MFPs, to the containers
directly responsible for managing user documents.
Identity Service: An implementation of the Microsoft Identity Service model, an OAuth 2 based identity management service.
It registers and authenticates users, mobile apps, and access cards, and it manages related access tokens.
Secure Job Storer: This microservice container is responsible for the storage and retrieval of print documents in the cloud.
Amazon Simple Storage Service (S3) file storage is used as the backing store for documents, which are encrypted at rest.
Secure Job Indexer: This microservice container is responsible for maintaining the document metadata, serving up the list of
user documents and functions such as document expiry. The service is backed by AWS DynamoDB storage.
Secure Job Releaser: This microservice container is responsible for orchestrating the release of print documents to MFPs,
maintaining the state of document releases in progress, and providing notifications on the release process to interested
parties. The service is backed by AWS DynamoDB storage.
Local Connector option
The HP Secure Print system also supports traditional networks with local services. In this configuration, employees print
from their workstations as they normally do. The print job is encrypted and stored on the user’s workstation and optionally
in the cloud. Employees then walk up to any secured printer on the network. After successful authentication, their
documents are released (pulled).
The Local Connector option:
• Allows you to select Active Directory for authentication. (Active Directory is not required to use HP Secure Print; however,
  if your organization requires AD then you must use the Local Connector.)
• Adds multivendor support for the integrated panel experience.
Figure 8: The HP Secure Print workflow for conventional networks with local job storage
[Figure 8 diagram labels: HP Secure Print; Workstation; Print Scout; HP printer; Scout release (push print)]
Supported devices
When used with the Local Connector option, HP Secure Print works with practically any printer or MFP that you may have in
your organization. Support for the user authentication option that involves the printer’s control panel will depend on the
device in use. You can find a list of devices that support the integrated printer workflow at hp.com/go/jetadvantage. All
others can be secured via hardware or mobile app release via QR code.
Network configuration
To deploy HP Secure Print using the Local Connector option in your network, you need to install these components:
• Print Scout (installed on employee workstations). For more information, see page 7.
• Device Scout
Device Scout
The Local Connector configuration requires an on-premises Device Scout to remotely secure the devices in your
environment. In addition to securing your network printers, the Device Scout also collects device data and uploads it to your
HP Secure Print account. The Device Scout is the server software referred to as the “Local Connector” herein. The Device
Scout is not required in Zero Trust network configurations.
Collecting device data
The Device Scout locates all printers within your network and collects data on device status, meters, and consumables for
display in HP Insights. The Device Scout collects information from network devices that report themselves via SNMP as
output devices:
• IP address
• Device description
• Maintenance kit levels
• Device serial number
• Non-toner supply levels
• Meter reads
• Asset number
• Monochrome or color identification
• Location
• Display reading
• MAC address
• Device status
• Manufacturer
• Model number
• Error codes
• Toner levels
• Firmware version/patch level
Deployment architecture
The graphic below shows the architecture of the solution using the Local Connector option for conventional networks that
do not enforce Zero Trust principles.
Figure 9: Deployment architecture (Local Connector) [3,4]
• The Print Scout registers itself via an HTTPS (TLS) connection to HP Secure Print. The Print Scout maintains a secure
  connection to the cloud service to enable print job submission and release.
• The Device Scout registers itself via an HTTPS (TLS) connection to HP Secure Print. The Device Scout maintains a secure
  connection to the service to enable device configuration and to secure printers.
• The Device Scout communicates with the local Active Directory server using LDAP (TLS) to authenticate user credentials.
• The secure printer communicates via an HTTPS (TLS) connection to HP Secure Print to release documents.
• The Print Scout delivers documents to the printer via an IPPS (TLS) connection. If the printer is not enabled for IPPS, the
  solution will fall back to using IPP. If IPP is also not supported, the solution will fall back to the RAW protocol. Neither IPP
  nor RAW is encrypted. To ensure that encryption is used to deliver documents, enable IPPS printing on your printers.
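The fallback order above decides whether a released job crosses the local network encrypted. The following Python is an added example (not HP code and not the Print Scout's actual probing logic) that walks the same IPPS, IPP, RAW order for each printer and reports which hosts would receive jobs in cleartext. The port-to-protocol mapping follows the ports shown in the Figure 9 diagram and is an assumption; the printer inventory is constructed.

```python
"""Report the transport each printer would be served over under IPPS -> IPP -> RAW fallback.

Added example, not HP code. The port-to-protocol mapping is an assumption based
on the ports in the deployment diagram; the sample inventory is constructed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# (transport, port, uses TLS), tried in the order the text describes.
FALLBACK_ORDER: List[Tuple[str, int, bool]] = [
    ("IPPS", 631, True),
    ("IPPS", 443, True),
    ("IPP", 631, False),
    ("RAW", 9100, False),
]

ProbeFn = Callable[[str, int, bool], bool]


def probe(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> bool:
    """True if the port accepts TCP (and completes a TLS 1.2+ handshake if use_tls).

    This is a reachability check only; no IPP request or print data is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not use_tls:
                return True
            ctx = ssl.create_default_context()
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
            # Printers often present self-signed certificates. The probe only asks
            # whether TLS is offered, so certificate validation is skipped here.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # covers timeouts, refused connections and ssl.SSLError
        return False


@dataclass
class Finding:
    host: str
    transport: str          # "IPPS", "IPP", "RAW" or "NONE"
    port: Optional[int]
    encrypted: bool


def select_transport(host: str, probe_fn: ProbeFn = probe) -> Finding:
    """Return the first transport in the fallback order that the printer answers on."""
    for transport, port, use_tls in FALLBACK_ORDER:
        if probe_fn(host, port, use_tls):
            return Finding(host, transport, port, encrypted=use_tls)
    return Finding(host, "NONE", None, encrypted=False)


def audit(hosts: Iterable[str], probe_fn: ProbeFn = probe) -> List[Finding]:
    return [select_transport(host, probe_fn) for host in hosts]


def cleartext_hosts(findings: Iterable[Finding]) -> List[str]:
    """Printers that would receive documents over unencrypted IPP or RAW."""
    return sorted(f.host for f in findings if f.transport in ("IPP", "RAW"))


# Constructed inventory: the (port, TLS) pairs each sample printer answers on.
SAMPLE_PRINTERS: Dict[str, Set[Tuple[int, bool]]] = {
    "10.0.5.20": {(631, True), (631, False), (9100, False)},  # IPPS enabled
    "10.0.5.21": {(631, False), (9100, False)},               # IPP and RAW only
    "10.0.5.22": {(9100, False)},                             # RAW only
    "10.0.5.23": {(443, True)},                               # TLS on 443 only
    "10.0.5.24": set(),                                       # unreachable
}


def sample_probe(host: str, port: int, use_tls: bool) -> bool:
    """Offline stand-in for probe() that answers from SAMPLE_PRINTERS."""
    return (port, use_tls) in SAMPLE_PRINTERS.get(host, set())


if __name__ == "__main__":
    results = audit(SAMPLE_PRINTERS, probe_fn=sample_probe)
    for f in results:
        state = "encrypted" if f.encrypted else "NOT encrypted"
        print(f"{f.host}: {f.transport} port {f.port} ({state})")
    print("enable IPPS on:", cleartext_hosts(results))
```

Pass a list of real printer addresses to `audit()` without `probe_fn` to run the live check from a workstation subnet.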
[Figure 9 diagram labels: HP Secure Print platform (AWS); HP Secure Print Cloud API firewall; Company firewall; Print Scout
(workstation); Device Scout; Secured printer; Active Directory. Connection labels: TLS* websockets connection initiated by
the Print Scout on Port 443; print job release on TLS* Port 443, Port 631, Port 9100 (if supported by the secured printer);
print job release queue on TLS* Port 443; TLS* websockets connection initiated by the Device Scout on Port 443; iMFP app
services on TLS* Port 4321; secure/unsecure printer on TLS* Port 443, 7627; device discovery on SNMP UDP 161.]
QR Code option
HP Secure Print can be configured to enable secure print submission and release using a mobile device. This option provides
the following benefits:
Companies can provide mobile release as an authentication option for releasing secure print jobs. This convenient
workflow simply requires users to scan a QR code, then all documents print.
Companies can enable secure print on a non-secured printer. No printer configuration is required.
Organizations can enable secure print on non-HP printers and HP printers not supported by HP Secure Print. Any
PCL6-compliant network printer can be enabled for mobile release.
Network configuration
To deploy HP Secure Print using the QR Code option in your network, you need to install these components:
Print Scout (installed on employee workstations). For more information, see page 7.
Device Scout. For more information, see page 10.
HP Secure Print mobile app.
HP Secure Print mobile app
The HP Secure Print mobile app enables employees to release the documents parked in their secure queue by quickly
scanning a QR code affixed to a printer on your network. To submit or release print jobs, employees must first download the
HP Secure Print mobile app from the App Store (iOS) or Google Play™ store (Android). Submitting documents from the app
requires cloud storage of the print job.
Deployment architecture
The graphic below shows the architecture of the solution, including document submission and release workflows, when
using the QR Code option.
Figure 10: Deployment architecture (QR code)
The Print Scout registers itself via an HTTPS (TLS) connection to HP Secure Print. The Print Scout maintains a secure
connection to the cloud service to enable print job submission and release.
[Figure 10 diagram labels: HP Secure Print platform (AWS); HP Secure Print Cloud API firewall; Company firewall;
HP Secure Print mobile app; Print Scout; Network printer.]
The Secure Print mobile app registers itself via an HTTPS (TLS) connection to HP Secure Print. The Secure Print mobile app
establishes a secure connection to the cloud service to release documents when a network printer QR code is scanned with
the mobile app using the phone’s camera.
Configuration
Configuring QR Code release is a simple two-step process:
1. Secure your printers: The system enables the administrator to quickly create QR code labels for each printer. A
standard label template makes it easy to print these QR code labels and affix them to each printer. Each code contains
a unique GUID that identifies the device for secure print release.
2. Activate mobile devices: The Setup Guide (a click-through wizard) leads the user through the activation process. During
this process, the user is directed to download the HP Secure Print app on their mobile device. The Setup Guide
generates a one-time QR code; the user then activates their app by scanning this onscreen code. This binds the user to
their mobile device to enable secure print release.
Secure print workflow
How a document is submitted and released depends on whether print jobs are stored in the cloud or locally.
Document storage
Cloud storage
When print jobs are stored in the cloud:
In the case of an IPP-Everywhere submission, the document is sent directly to the Secured IPP Service in the cloud. This
service interacts with both the Secure Job Indexer and Secure Job Storer services to “park” the document for later release
and store its metadata for analysis and reporting via HP Insights print analytics web dashboards.
For print jobs submitted via Windows queue, the workstation interacts with the Print Scout API Service to send the
document to the cloud, from which point the interaction is the same as those coming via the Secured IPP Service.
Local storage
With the local storage option, print jobs are parked on the user workstation. After the user successfully authenticates at the
device, pressing Print or Print All instructs the MFP to communicate with HP Secure Print to release the documents, which
are then pushed from the workstation to the printer via the Print Scout.
When enabled in the Local Connector configuration, an encrypted copy of the print job is stored in the cloud. This allows jobs
to be released even when the submitting workstation (Print Scout) is unavailable. When the submitting workstation is not
available (in sleep mode, offline, etc.) the job may be routed through any available Print Scout on the network. Therefore, an
active Print Scout must always be available in the system.
Document submission
Print Scout submission
To submit a document to print, users select the Print command in whatever application they are using. On Windows or Mac
workstations, this opens a standard Print dialog box that shows the HP Secure Print queue selected by default.
The user is redirected to complete the Print Scout user registration (if the user has not already completed the process).
Upon successful user registration, the print submission will proceed, either via IPP-Everywhere or Windows print queue.
Mobile submission
With the optional HP Secure Print mobile app, employees can submit print jobs
from their mobile device. The app provides the means of installing a secure
printer profile that enables multivendor driverless printing using
IPP-Everywhere technology.
Users can print from any location or any external wireless network. The app
creates a connection between the user and the Secure Print system. It quickly
establishes the user identity and provides the profile required for printing.
Users submit print jobs using the native Print command and then choose the
HP Secure Printer queue, as shown at right.
Figure 11: Submitting a print job using the HP Secure Print mobile app
Document release
After print submission, the user may release (print) their documents at any enabled printer or MFP. Users are required to
authenticate before they can access their print queue (see the next page for more details). Upon successful user
authentication, the job list is displayed on the MFP control panel. As shown in the graphic below, the user is first presented
with a simple screen that provides a one-touch method to Print All jobs in the user’s queue.
Figure 12: Upon successful authentication, the user is presented with Secure Print home screen
Or the user can press Review Documents to view all job(s) in the queue. The job list displays the document name,
submission time, and page count, as shown below. Finally, the user can press More Device Functions to access copy, scan,
or email functions.
Figure 13: The HP Secure Print documents screen
If Review Documents is selected, the user can select one or more documents in the list and then press Print. This action
(or the Print All command shown in Figure 12) instructs the MFP to pull the document from the cloud or push it from the
workstation.
Upon successful print output, the MFP notifies the MFP Data Service which in turn tells the Secure Job Releaser to update
the release state and orchestrate the cleanup of the document metadata and contents.
Authentication options
HP Secure Print supports authentication at the printer by scanning a QR code with a mobile device, swiping an ID badge
(proximity card), or entering an email and PIN into the printer’s control panel. With the Local Connector configuration,
username and password is another authentication option when Active Directory is in use.
Mobile app
With the mobile authentication option, employees can use the HP Secure Print app on their mobile device (iOS and Android)
to scan a QR code affixed to any secured printer in the system, which immediately releases all print jobs in the user’s queue.
Each QR code contains a unique GUID that identifies the device for secure print release. No information about the device is
contained in the QR code.
Proximity card
With this configuration, employees use their access cards (proximity cards) to quickly authenticate at a chosen device to
release their print jobs. Proximity cards are hashed using a one-way, non-reversible hash before being sent to the cloud for
authentication. The identifying information on the proximity card is securely stored in the cloud as this one-way,
non-reversible hash.
Device communication
When using the Local Connector configuration, the Device Scout generates 2048-bit RSA certificates that secure the channel
between the printer and the four services hosted on premises: authentication, authorization, accessories, and statistics. All
communications to these four services are sent over port 4321. If a port other than 4321 is required, a configuration file
must be changed post-install but pre-deployment, and the service must be restarted. Additionally, the deployment service
pushes a public certificate to the printer so that the printer can securely access HP Secure Print using TLS v1.2 over port
443.
When using the Cloud Connector configuration, communication is encrypted via TLS v1.2 over TCP port 443 using
certificates that have been signed by industry-trusted authorities.
Control panel (“keypad”) login
With this configuration, employees enter their username and password or email and PIN into the printer’s control panel to
quickly authenticate at the chosen device to release their print jobs.
Passcode
When OpenID is set as the authentication provider, employees can authenticate using their system-generated passcode
from the workstation Setup Guide. The passcodes are hashed using a one-way, non-reversible hash before being sent to
the cloud for authentication. The passcodes are securely stored in the cloud as this one-way, non-reversible hash.
Email and PIN
When email is set as the authentication provider, employees can authenticate using their email address and PIN from the
workstation Setup Guide. The email and PIN are hashed using a one-way, non-reversible hash before being sent to the cloud
for authentication. The email and PIN are securely stored in the cloud as this one-way, non-reversible hash.
Username and password
When Active Directory is set as the authentication provider, employees can authenticate using their AD credentials
(username and password). User credentials are kept within the company’s network and are never sent to the cloud. The
authentication attempt is requested by the Local Connector to the company’s Active Directory domain controller.
Device communication
As with proximity cards, when using the Local Connector configuration with control panel logins, the Device Scout generates
2048-bit RSA certificates that secure the channel between the printer and the four services hosted on premises:
authentication, authorization, accessories, and statistics. All communications to these four services are sent over port 4321.
If a port other than 4321 is required, a configuration file must be changed post-install but pre-deployment, and the service
must be restarted. Additionally, the deployment service pushes a public certificate to the printer so that the printer can
securely access HP Secure Print using TLS v1.2 over port 443.
When using the Cloud Connector configuration, communication is encrypted via TLS v1.2 over TCP port 443 using
certificates that have been signed by industry-trusted authorities.
Data protection
In today’s high-risk security climate, every organization must continually refine its security strategy to address evolving
threats. Your print environment should be part of your organization’s security strategy and a standard part of your
processes and procedures. Here, we describe various types of attacks that exist within a printing context, and how
HP Secure Print addresses these threats.
General malicious attack: Such an event could include an attempt to intercept data in transmission, denial of service, or
the attempted altering or disabling of established security measures such as logins or encrypted communication.
HP Secure Print encrypts all external connections using TLS at the highest level supported by the connecting browser or
service. All application components are isolated by function; only necessary traffic can pass between components.
Malicious attack of print data: Such an event could include an attempt by a third party to intercept company print data. To
prevent this, HP Secure Print employs one of two kinds of encryption, based on where the document is stored at rest.
Configurations in which the document is held at rest on the client side will use a Zero Knowledge Encryption scheme.
Documents stored in the cloud are protected by Amazon S3 KMS encryption.
Machine or technological failure: Such an event could include power loss, network connectivity loss, or data storage
failure. HP Secure Print uses a cloud infrastructure with a minimum of three geographic zones. This cloud infrastructure
can detect a variety of fault conditions and remove or fix defective components with no interruption of service.
Passive data loss or corruption: Such losses could be caused by software defects, incompatibilities between software
components, or data storage loss. The HP Secure Print infrastructure mitigates these risks through a formal software
quality assurance methodology. In the event of a data corruption problem, the system maintains pre-state backups to
roll back any data-altering changes. The system also uses segregation of duties and least privilege principles to restrict
the level of access employees have, to include only that which is required to perform their job function. Access levels are
periodically reviewed and adjusted as business needs or job roles change.
Data control
The integrity of your data is critical. HP Secure Print uses both technological and procedural controls to restrict access to
data. The system gives you control over what data is collected and who can see it. No device or printing information can be
transmitted to the cloud service until scouts are installed and activated. At any time, you may stop a scout from collecting
information by uninstalling it.
Document encryption
The HP Secure Print system leverages the latest encryption standards to ensure that documents are secure. There are two
kinds of file encryption used in the system, based on the configuration in use. When a document is stored in the cloud, it is
encrypted at rest using AWS S3 KMS encryption. When it’s stored on the client’s server, it leverages zero knowledge
encryption.
AWS S3 with KMS encryption
For documents stored in the cloud, HP Secure Print leverages Amazon Simple Storage Service (S3) with Key Management
Service (KMS) encryption. This provides access to the same highly scalable, reliable, fast, inexpensive data storage
infrastructure that Amazon uses to run its own global network of websites.
Print jobs are secured with S3 KMS encryption. The document is sent to the cloud protected in transit by HTTPS and then
encrypted at rest. The following links provide more information on Amazon S3 and KMS encryption:
docs.aws.amazon.com/AmazonS3/latest/dev/Welcome
docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption
Zero knowledge encryption
In addition to full encryption of transport, the system also employs zero knowledge encryption for documents at rest
whenever the document is stored on the client side (by the Print Scout) or in the cloud whenever push print is being used; in
other words, in the hybrid configuration that leverages local print job storage. The Print Scout sends print jobs directly to a
printer in the system, hence “push print.”
The cloud storage configurations of HP Secure Print do not use zero knowledge encryption because the printers and MFPs
pull the documents directly from the cloud themselves.
During installation, you are provided a system-generated site encryption password. The system does not retain a copy of
this password; you must securely back up the password to enable future scout installation and maintain the security of the
print data.
The site encryption password is used to generate a 256-bit AES key, using the derivation function PBKDF2 with 1,000
iterations. This key is used to encrypt documents before they leave your local network, and to decrypt them prior to print
release. In addition, a PKI 2048-bit RSA key pair is generated for communication security, with both the private key and the
AES key above being installed on the scouts in your local network.
When documents are released (printed), they are decrypted when they arrive back on your network. Therefore, even in the
unlikely event that an attacker breaches the cloud security measures in HP Secure Print, the attacker would be unable to
access any document data.
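The key derivation described above, as an added example that is not HP's code. The page states only PBKDF2, 1,000 iterations and a 256-bit AES key; the HMAC-SHA-256 PRF, the salt, the password format and the key-check helper are assumptions made here. It shows why a lost site encryption password cannot be replaced (the key is a pure function of the password) and how much of the guessing cost comes from the iteration count versus the password itself.

```python
import hashlib
import hmac
import math
import secrets
import string

ITERATIONS = 1_000   # stated in the white paper
KEY_BYTES = 32       # 256-bit AES key, stated in the white paper
PRF = "sha256"       # assumption: the paper does not name the PBKDF2 hash


def generate_site_password(length: int = 24) -> str:
    """Stand-in for the system-generated password (its real format is not documented)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_site_key(site_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 is deterministic: same password, salt and count give the same key on every scout."""
    if not site_password:
        raise ValueError("site encryption password is empty")
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 bytes")
    return hashlib.pbkdf2_hmac(PRF, site_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def key_check_value(key: bytes) -> str:
    """Hypothetical helper: a fingerprint that identifies a key without exposing it."""
    return hmac.new(key, b"site-key-check-v1", hashlib.sha256).hexdigest()[:16]


def verify_backup(candidate_password: str, salt: bytes, expected_check: str) -> bool:
    """True only if the backed-up password reproduces the key recorded at installation."""
    candidate = key_check_value(derive_site_key(candidate_password, salt))
    return hmac.compare_digest(candidate, expected_check)


def guessing_work_bits(alphabet_size: int, length: int, iterations: int = ITERATIONS) -> float:
    """log2 of the PRF calls needed to try every password of the given shape."""
    return length * math.log2(alphabet_size) + math.log2(iterations)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)        # constructed sample value
    password = generate_site_password()   # constructed sample value
    key = derive_site_key(password, salt)
    check = key_check_value(key)
    print("key bytes:", len(key), "check value:", check)
    print("backup verifies:", verify_backup(password, salt, check))
    print("one wrong character:", verify_backup(password[:-1] + "!", salt, check))
    # 1,000 iterations contribute about 10 bits; the rest must come from the password.
    print("24 random alphanumerics: %.1f bits" % guessing_work_bits(62, 24))
    print("8 lowercase letters:     %.1f bits" % guessing_work_bits(26, 8))
```

Running the backup check right after installation confirms that the stored copy of the password is usable before it is needed for a new scout.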
Encryption details
Item | Encryption used
Encryption of data transport | TLS version: 1.2
Document encryption | AES 256-bit
MFP certificates | 2048-bit RSA
User identity hashing
When the user taps a proximity card or enters an email and PIN, the values are hashed using SHA-256, a one-way,
non-reversible hash function, and sent to the cloud for validation. The system looks at the hash value and authenticates
the user accordingly.
Security is a shared responsibility
As an HP Secure Print customer, you share the responsibility to protect your data. As your organization continually refines
its security strategy to address evolving threats, make certain that securing your print environment is a priority. Add these
security items to your standard processes to help you address the diverse and ever-evolving threats out there.
1. Ensure that all scouts are accessible to authorized users only.
2. Ensure that servers and/or workstations hosting scouts are fully patched and meet all other security requirements of
your organization.
   - Ensure that servers and/or workstations are regularly maintained according to the policies of your organization.
   - Ensure that the minimum necessary credentials are granted to individuals within your organization.
3. If the Print/Device Scout will be installed on a shared server (i.e., a server that performs multiple functions or that will
be running software from another vendor), ensure that you have verified compatibility with technical support before
installing.
4. Ensure that all printers are fully patched and meet all other security requirements of your organization.
5. If using the HP Secure Print Mobile app, ensure that all mobile devices are fully patched and meet all other security
requirements of your organization.
Customer readiness
This section details the environmental requirements and recommendations necessary to successfully deploy HP Secure
Print. It also records the ports and protocols used in each network configuration.
Platform communication
Your email security software must be set to trust the following email address from HP Secure Print to help prevent your
organization from quarantining or blocking the message or sending the email communication to the Junk or Spam folder:
Insights <no-reply@insights.hpondemand.com>
Cloud API endpoints
HP Secure Print Cloud API endpoints process collected data and print jobs, push application updates and configuration
settings, and broker communication between systems components.
The software components, such as the Print Scout and cloud-aware HP printer, must be able to securely communicate to
the HP Secure Print Cloud API endpoints. If permitted by your organization, HP recommends whitelisting the domain
*.insights.hpondemand.com to ensure that communication with current and future cloud API endpoints is permitted. Below
is a list of cloud API endpoints if your organization requires the list of permitted URLs.
EU instance
https://api-eu.insights.hpondemand.com
https://devicescout-eu.insights.hpondemand.com
https://eu.insights.hpondemand.com
https://login-eu.insights.hpondemand.com
https://mfp-api-eu.insights.hpondemand.com
https://printscout-eu.insights.hpondemand.com
US instance
https://api.insights.hpondemand.com
https://devicescout.insights.hpondemand.com
https://files.insights.hpondemand.com
https://login.insights.hpondemand.com
https://mfp-api.insights.hpondemand.com
https://printscout.insights.hpondemand.com
https://www.insights.hpondemand.com
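One way to test proxy or firewall hostname rules against the endpoints above, as an added example that is not HP's code. It supports both the wildcard *.insights.hpondemand.com and the explicit per-region lists, and compares whole DNS labels so that look-alike names do not pass; the function names and the look-alike hostnames in the demo are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

WILDCARD_BASE = "insights.hpondemand.com"   # from the recommended *.insights.hpondemand.com

# Explicit endpoint hosts copied from the EU and US lists above.
ENDPOINTS = {
    "EU": {
        "api-eu.insights.hpondemand.com",
        "devicescout-eu.insights.hpondemand.com",
        "eu.insights.hpondemand.com",
        "login-eu.insights.hpondemand.com",
        "mfp-api-eu.insights.hpondemand.com",
        "printscout-eu.insights.hpondemand.com",
    },
    "US": {
        "api.insights.hpondemand.com",
        "devicescout.insights.hpondemand.com",
        "files.insights.hpondemand.com",
        "login.insights.hpondemand.com",
        "mfp-api.insights.hpondemand.com",
        "printscout.insights.hpondemand.com",
        "www.insights.hpondemand.com",
    },
}


def host_of(value: str) -> str:
    """Return the lowercase host from a URL or bare host[:port]; '' if none can be parsed."""
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "//" + candidate
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def matches_wildcard(host: str) -> bool:
    """Whole-label suffix match: at least one label must precede the base domain."""
    labels = host.split(".")
    base = WILDCARD_BASE.split(".")
    return len(labels) > len(base) and all(labels) and labels[-len(base):] == base


def is_permitted(value: str, region: Optional[str] = None) -> bool:
    """region=None applies the wildcard rule; 'EU' or 'US' applies only that explicit list."""
    host = host_of(value)
    if not host:
        return False
    if region is None:
        return matches_wildcard(host)
    return host in ENDPOINTS[region]


if __name__ == "__main__":
    # Constructed test destinations, including names that only resemble the real domain.
    for dest in (
        "https://api.insights.hpondemand.com",
        "printscout-eu.insights.hpondemand.com:443",
        "https://insights.hpondemand.com",
        "https://notinsights.hpondemand.com",
        "https://api.insights.hpondemand.com.example.net",
        "https://api.insights.hpondemand.com@example.net/",
    ):
        print(f"{dest:<55} wildcard={is_permitted(dest)} EU-list={is_permitted(dest, 'EU')}")
```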
Network ports and protocols
The following diagrams show the ports and protocols used in the various configuration and user authentication options.
Cloud Connector with cloud storage
The two graphics below show the basic structure and ports required to deploy HP Secure Print using the Cloud Connector
with the cloud storage option, first with a conventional network and then with a Zero Trust network.
Figure 14: Structure and ports required for deployment of the Cloud Connector with the cloud storage option, using a conventional network
[Figure 14 diagram labels: HP Secure Print (https://*.insights.hpondemand.com); Cloud Connector; Print Scout (Cloud release);
HP integrated printer; Firewall; CLOUD; COMPANY NETWORK. Port labels: TCP 443; TCP 443.]
Figure 15: Structure and ports required for deployment of the Cloud Connector with the cloud storage option, using a Zero Trust network
[Figure 15 diagram labels: INTERNET ONLY (Zero Trust network); HP Secure Print (https://*.insights.hpondemand.com);
Cloud Connector; Print Scout (Cloud release); HP integrated printer; Firewall; CLOUD. Port labels: TCP 443; TCP 443.]
Cloud Connector with local storage
The graphic below shows the basic structure and ports required to deploy HP Secure Print using the Cloud Connector with
the local storage option.
Figure 16: Structure and ports required for deployment of the Cloud Connector with the local storage option
[Figure 16 diagram labels: HP Secure Print (https://*.insights.hpondemand.com); Cloud Connector; Print Scout (Scout release);
HP integrated printer; Firewall; CLOUD; COMPANY NETWORK. Port labels: TCP 443, 631, 9100; UDP 161; TCP 443; TCP 443.]
Local Connector
The graphic below shows the basic structure and ports required to deploy HP Secure Print using the Local Connector.
Figure 17: Structure and ports required for deployment of Local Connector
[Figure 17 diagram labels: Print Scout; HP integrated printer; Device Scout; Local Connector; HP Secure Print
(https://*.insights.hpondemand.com); Firewall; CLOUD; COMPANY NETWORK. Port labels: TCP 443, 631, 9100; UDP 161; TCP 443;
TCP 443, 7627; UDP 161; TCP 4321; TCP 443; TCP 443.]
Mobile release
The graphic below shows the basic structure and ports required to deploy HP Secure Print using mobile release.
Figure 18: Structure and ports required for deployment using mobile release
[Figure 18 diagram labels: HP Secure Print mobile app; Print Scout; Network printer; HP Secure Print
(https://*.insights.hpondemand.com); Firewall; CLOUD; COMPANY NETWORK. Port labels: TCP 443; TCP 443, 631, 9100; UDP 161;
TCP 443.]
Deployment requirements
Print Scout
The Print Scout is lightweight client software that is deployed to employee workstations to enable secure printing and
capture printing data. The Print Scout encrypts and stores secure print jobs, uploads a copy to the cloud (when cloud
storage is enabled), and decrypts and delivers secure print jobs to network printers (when local storage is enabled).
Requirements
1. Supported operating systems:
   - Windows: 8, 8.1, and 10
   - macOS: 10.14, 10.15, and 11
   - Ubuntu: 18.04 and 20.04 (when OpenID is enabled)
   - Red Hat 8
   - Windows Server®: 2012, 2012 R2, 2016, and 2019 (optional, for Local Connector option to release a secure print job
     from the cloud)
2. For Windows systems, Microsoft .NET Framework 4.6.1 (or newer) must be installed.
3. The Print Scout must be installed on print user workstations to (1) submit, store, manage, and release a secure print
job and (2) enable the Secure Print mobile app.
4. The Print Scout must be able to communicate with network printers to (1) collect device data and (2) release a secure
print job when local storage is enabled.
5. The Print Scout must be able to communicate with the cloud APIs to (1) upload collected print job, device data, and
print user information, (2) upload encrypted secure print job, and (3) download application updates and configuration
settings.
6. The Web proxy server configuration (server, port, user credentials) is known, if required to access the Internet (cloud).
7. For Windows systems, end point protection (antivirus) software must trust the Print Scout executable (.exe) files and
dynamic link library (.dll) files within this directory path and all its subfolders:
   - C:\Program Files (x86)\HP\PrintScout
8. End point protection (antivirus) software must trust the Windows services for the Print Scout:
   - HP Print Scout Service
   - HP Print Scout Spooler Service
9. When using OpenID Connect (OIDC) to authenticate, the Print Scout must be able to communicate with the OIDC identity
provider to authenticate the print user.
10. When using the Local Connector configuration and Active Directory is the authentication provider, the Print Scout must
be joined (1) to an on-premises Microsoft Active Directory domain and (2) to the same domain as the Device Scout.
11. When using email and PIN for authentication, the print user must be able to verify that the email address is valid.
12. The following network ports must be open:
    - Outbound (Print Scout connecting to the cloud API endpoint):
      - 443 TCP (TLS v1.2)
    - Outbound (Print Scout connecting to the network printer):
      - 161 UDP (SNMP v1/v2 or SNMP v3)
      - 631 TCP (IPP)
      - 443 TCP (IPPS)
      - 9100 TCP (RAW)
Device Scout
The Device Scout remotely secures the network devices in your environment, authenticates users to Active Directory, and
collects device data and uploads it to your HP Secure Print account. The Device Scout is not required when using the Cloud
Connector configuration.
Requirements
1. Supported operating systems:
   - Windows Server: 2012, 2012 R2, 2016, and 2019
   - Windows: 8, 8.1, and 10 (Workstation is intended for hosting the Device Scout in a non-production environment)
2. Microsoft .NET Framework 4.6.1 (or newer) must be installed.
3. The Device Scout must be able to communicate with the cloud APIs to (1) upload collected device data and
(2) download application updates and configuration settings.
4. The Web proxy server configuration (server, port, user credentials) is known, if required to access the internet (cloud).
5. For Windows systems, end point protection (antivirus) software must trust the Device Scout and Local Connector
executable (.exe) files and dynamic link library (.dll) files within this directory path and all its subfolders:
   - C:\Program Files (x86)\HP\DeviceScout
   - C:\Program Files (x86)\HP\HP Secure Print Service
6. End point protection (antivirus) software must trust the Windows services for the Device Scout and Local Connector:
   - HP Device Scout Service
   - HP Secure Print Service
7. The Device Scout must be able to communicate with network printers to collect device data.
8. When using the Local Connector configuration, the Device Scout must be able to communicate with network printers to
(1) secure integrated printers and (2) authenticate users. If Active Directory is the authentication provider, the Device
Scout must be (1) joined to an on-premises Microsoft Active Directory domain and (2) joined to the same domain as
Print Scouts (print user workstations).
9. The following network ports must be open:
   - Outbound (Device Scout connecting to the cloud API endpoint):
     - 443 TCP (TLS v1.2)
   - Outbound (Device Scout connecting to the network printer):
     - 161 UDP (SNMP v1/v2 or SNMP v3)
     - 443 TCP (TLS v1.2)
     - 7627 TCP (TLS v1.2)
   - Inbound (Network printer connecting to the Device Scout):
     - 4321 TCP (TLS v1.2)
Integrating HP printers (when using the Cloud Connector or Local Connector)
HP printers can be integrated into the Secure Print system for user authentication via proximity card or keyboard control
panel login. Upon successful login, the user may choose to print all documents in the queue, review and select documents
to print, or access other device functions such as copy, scan to email, and fax. Integrated printers track all secure print, copy,
scan to email, and fax activity.
Requirements:
1. The printer must be a supported model as certified by HP.
2. The printer readiness requirements must have been completed:
   - Firmware must be version 4.8 or later.
   - Local administrator password must be known.
   - DNS settings must resolve the (1) HP cloud API endpoints and (2) Device Scout server (when using the Local
     Connector).
   - Date and time settings must be accurate to allow TLS secure communication.
   - Web proxy settings must be configured if required to access the public internet.
   - Cross-Origin Resource Sharing (CORS) must be enabled.
   - If trusted sites are enabled in CORS, the trusted sites list must include *.insights.hpondemand.com (when using the
     Cloud Connector) and the Device Scout server (when using the Local Connector).
   - Color print must be enabled to provide color printing capability for non-domain, macOS, Linux, iOS and Android
     users.
   - Sleep after inactivity may be turned off and sleep schedule may be enabled to improve proximity card reader
     performance during business hours.
3. The HP printer must be able to communicate with the cloud API endpoints to print or delete print jobs. When using the
Cloud Connector configuration, cloud API endpoints also launch the Secure Print app, authenticate users, and enable
display of the user’s print job list.
4. When using the Local Connector configuration, the HP printer must be able to access the Device Scout fully qualified
domain name (FQDN) to launch the Secure Print app, authenticate users, and display the user’s print job list.
5. The Web proxy server configuration (server, port, user credentials) must be known if required to access the internet
(cloud).
6. The following network ports must be open:
   - Outbound (HP printer connecting to the cloud API endpoint):
     - 443 TCP (TLS v1.2)
   - Outbound (HP printer connecting to the Device Scout, in Local Connector configurations):
     - 4321 TCP (TLS v1.2)
   - Inbound (Deployment tool (for Cloud Connector option) or Device Scout (for Local Connector option) connecting to
     the HP printer):
     - 443 TCP (TLS v1.2)
     - 7627 TCP (TLS v1.2)
For additional instructions on printer prerequisites to deploy HP Secure Print, please see the “HP Secure Print: HP Integrated
Printer Readiness” white paper.
Network printers (when using QR Code configuration)
When using the QR Code configuration, HP Secure Print can enable any PCL6-compliant network printer for mobile release.
Requirements:
1. SNMP v1/v2 and/or SNMP v3 must be enabled
   - SNMP v1/v2: Read access must be enabled and the Get Community Name string must be known
   - SNMP v3: Username, Authentication Protocol and Passphrase, Privacy Protocol and Passphrase, and Context Name
     must be known
     - Passphrase: 8 to 255 characters
     - Authentication Protocol: MD5 or SHA1
     - Privacy Protocol: DES or AES-128
2. HP Secure Print QR code label has been printed and attached to the corresponding printer (mobile app print release)
3. The following network ports must be open:
   - Inbound (Device Scout connecting to the network printer)
     - 161 UDP (SNMP v1/v2 or SNMP v3)
   - Inbound (Print Scout connecting to the network printer)
     - 161 UDP (SNMP v1/v2 or SNMP v3)
     - 631 TCP (IPP)
     - 443 TCP (IPPS)
     - 9100 TCP (RAW)
HP Secure Print mobile app
The HP Secure Print mobile app releases documents by scanning the network printer’s QR code.
Requirements:
1. Supported operating systems:
   - Android 7, 8, 9, and 10
   - iOS 11, 12, and 13
2. HP Secure Print mobile app is free and must be downloaded using a supported mobile device from the (1) Google Play
Store or (2) Apple App Store.
3. The HP Secure Print mobile app must be able to communicate with the cloud API endpoints to release a user’s print
jobs.
4. The following network ports must be open:
Outbound (Secure Print mobile app connecting to the cloud API endpoint):
443 TCP (TLS v1.2)
Deployment tool
This command-line utility is used to secure or unsecure an HP integrated printer via the Cloud Connector. For the
Deployment tool to work, the following network ports must be open:
   Outbound (Deployment tool connecting to the cloud API endpoint):
      443 TCP (TLS v1.2)
   Outbound (Deployment tool connecting to the HP integrated printer):
      443 TCP (TLS v1.2)
      7627 TCP (TLS v1.2)
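The port lists above can be turned into a flow-log check that reports traffic outside the documented set and flags the documented services that do not run over TLS (SNMP, IPP, RAW). This is an added example, not HP code; the address plan, role names and flow records are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): substitute your own inventory.
ROLES = {"printer": "10.20.0.0/24", "device_scout": "10.10.0.5/32",
         "deployment_tool": "10.10.0.9/32", "print_scout": "10.30.0.0/24"}
SNMP = "SNMP: cleartext unless v3 with a privacy protocol"
# (src role, dst role, proto, port) -> review note, or None for TLS services.
# "other" = any address outside ROLES; pin it to the cloud API endpoints.
POLICY = {
    ("printer", "other", "tcp", 443): None,
    ("printer", "device_scout", "tcp", 4321): None,
    ("device_scout", "printer", "tcp", 443): None,
    ("device_scout", "printer", "tcp", 7627): None,
    ("deployment_tool", "printer", "tcp", 443): None,
    ("deployment_tool", "printer", "tcp", 7627): None,
    ("deployment_tool", "other", "tcp", 443): None,
    ("print_scout", "printer", "tcp", 443): None,  # IPPS
    ("device_scout", "printer", "udp", 161): SNMP,
    ("print_scout", "printer", "udp", 161): SNMP,
    ("print_scout", "printer", "tcp", 631): "IPP: confirm TLS is negotiated",
    ("print_scout", "printer", "tcp", 9100): "RAW: no transport encryption",
}

def role_of(addr):
    ip = ipaddress.ip_address(addr)
    for role, cidr in ROLES.items():
        if ip in ipaddress.ip_network(cidr):
            return role
    return "other"

def audit(flows):
    """flows: (src_ip, dst_ip, proto, dst_port). Returns one verdict per flow."""
    verdicts = []
    for src, dst, proto, port in flows:
        key = (role_of(src), role_of(dst), proto, port)
        if key not in POLICY:
            verdicts.append("UNEXPECTED %s -> %s %s/%d" % key)
        else:
            verdicts.append("REVIEW " + POLICY[key] if POLICY[key] else "OK")
    return verdicts

# Constructed flow records, not captured traffic.
SAMPLE = [("10.20.0.15", "203.0.113.10", "tcp", 443),  # printer to cloud API
          ("10.30.0.44", "10.20.0.15", "tcp", 9100),   # Print Scout RAW delivery
          ("10.10.0.5", "10.20.0.15", "udp", 161),     # Device Scout SNMP
          ("10.40.0.7", "10.20.0.15", "tcp", 9100),    # unlisted host printing directly
          ("10.20.0.15", "10.30.0.44", "tcp", 445)]    # printer opening SMB
if __name__ == "__main__":
    print(*zip(SAMPLE, audit(SAMPLE)), sep="\n")
```

A REVIEW verdict on 9100 is the case where job contents reach the printer over RAW instead of IPPS.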
Network utilization
Print Scout
The Print Scout securely uploads print job information as it happens. Unlike the Device Scout, the Print Scout does not
perform network-wide device discovery.
Print Scout network traffic
Task type | Frequency | Network traffic
Status | 1 x 24 hours | 2 KB
AD lookups | Once per day, per user | Depends on size of average AD record
Cloud connection keep-alive | Every minute | < 0.1 KB
Print job metadata uploads | On print submission | 3 KB
Print job content uploads | On print submission | Variable based on the size and complexity of the print job (off by default and conditional on customer setting choices)
Incoming release requests and notifications | On print release | < 1 KB
Incoming job contents | On print release | Variable based on the size and complexity of the print job (used only when a user’s workstation is offline, and cloud holds a copy of their job contents)
Job delivery to printer | On print release | Variable based on the size and complexity of the job
Device SNMP lookup | On print release | 2.5 KB
Print Scout communication patterns
Print Scout status checks: Each Print Scout checks in once per day to upload its health report and check for new settings.
This check is under 2 KB and will usually return an empty response if there have been no configuration changes. The Print
Scout will also check for configuration changes when a print job is submitted.
Active Directory lookups: When an employee submits a print job, the Print Scout will look up Active Directory information
about that user. The AD lookup will occur only once per day. AD traffic is difficult to estimate because the amount of data
stored in AD is highly variable from one organization to the next. However, the maximum traffic equates to the total
number of unique AD users multiplied by the average AD record size.
Cloud connection: The communication channel between Print Scouts and the cloud is kept alive by means of a
server-initiated ping. This request occurs approximately once per minute and consists of a small packet of bytes.
Print job metadata uploads: Data describing each print job is sent to the cloud service. This data is variable because of the
strings involved (document name), but a fair approximation is 1 KB per print job.
Print job content uploads: The contents of the print job can be optionally uploaded to the server when configured to do
so. This copy is used as a backup in case the user’s workstation is unavailable at the time they choose to release their job
at a printer. The size of this content is based on the size and complexity of the source document, but it is compressed
prior to transfer. Typical one-page text documents are less than 100 KB.
Incoming release requests and notifications: The server will issue requests to Print Scouts when a user selects their jobs
to release at a printer. Notifications on the success or failure of the request are sent from the Print Scout back to the
server. These requests and notifications comprise a small amount of text data, less than 1 KB in size.
Incoming print job content: When necessary, and if configured to do so, a copy of the user’s job contents may be delivered
from the cloud service to the Print Scout. This can happen when the user’s workstation becomes unavailable (goes into
sleep mode, goes offline, etc.). In such an event, the server will select another Print Scout to perform the print release.
Job delivery to printer: The user’s job contents are ultimately delivered from a Print Scout to their chosen printer. The
data at this point is uncompressed but would equal the amount that would be delivered to a printer if the user were direct
printing from Windows, without the Print Scout.
Automatic scout updates: From time to time, a new version of the Print Scout will be released, with updated functionality
and any bug fixes. The scout will check for new versions of itself whenever it checks for new configuration information. If
a new version is available, the scout will automatically download and install the new version silently.
Device Scout
HP Secure Print requires access to your local area network to operate effectively. The Device Scout will generate local
network traffic when performing these operations:
Scanning configured network ranges for printing devices
Collecting meter data from discovered devices
Collecting service alerts from discovered devices
Configuring integrated printers
Logging into a secure device
The Device Scout uses SNMP to communicate with local network devices and supports SNMPv1/v2 and/or SNMP v3. In some
cases, the Device Scout will also try to connect to a device using HTTP port 80, if the device is a known model that cannot
report serial number or meter reads via SNMP.
The Device Scout will generate internet traffic when performing these operations:
Registration
Polling the Device Scout control server for new configuration or instructions
Uploading discovered device data
Uploading device meter data
Uploading Device Scout health check information
Configuring integrated printers
Logging into a secure device
Interacting with a secure device (user activity)
The Device Scout uses secure HTTPS communication when connecting to HP Secure Print. Additionally, all end-user access
to the application is encrypted using TLS. Unencrypted SNMP traffic is restricted to the local subnets that the Device Scout is
configured to monitor.
Device Scout network traffic
Here are the average payload sizes for the various Device Scout operations:
Task type | Device type | Network traffic (in bytes)
Discovery | Device | 15.8 KB
Usage | Non-device | 0.1 KB
Status | Device | 16.6 KB
Integration | Device | 2.0 KB
Printing a document from a secure device | Secure device | <100 KB
Excluding IP ranges
Non-printing SNMP-configured devices respond with a 126-byte payload, which tells the Device Scout that the device is not
a printing device. While not harmful, this overhead may add up over large IP ranges. Therefore, we recommend using
Exclude Ranges in the Device Scout configuration to skip over any IP ranges that are not likely to contain output devices.
Device Scout communication patterns
Registering a Device Scout: Customers create and configure a Device Scout record in the web application. To download
the installation package, you must enter the site encryption key. A unique installation package per Device Scout record is
created. During the installation of this package, the Device Scout will open a secure connection to HP Secure Print and
identify itself using the registration information contained in the package. Once a package has been installed and
registered, it cannot be used again.
Polling the scout control server: Upon initial registration, and periodically during normal operation, the Device Scout will
poll the control server for updates to its configuration state. Updates might include new IP ranges to scan, a new version
to download, or a new schedule for discovering or reading devices.
Uploading discovered device data: The Device Scout will upload discovered devices once per period, configured within the
application. Discovery scans can be configured daily or weekly. More frequent uploads will result in more network traffic,
but newly discovered devices will be displayed in the application more quickly.
Uploading device meter data: The Device Scout will upload meter reads to the scout control server on a scheduled basis.
Usage (meter) data can only be scheduled for a daily scan and upload. You configure this setting within the application.
Uploading toner data: Toner information will be collected along with meter data by default. Alternately, you can configure
it to be collected as frequently as 15-minute intervals.
Uploading scout health check information: The Device Scout Monitor runs as a scheduled Windows task to check the
health of the Device Scout and its ability to communicate. It tracks the successful completion of scout activities such as
discoveries, status collections, and configuration updates. It uploads this information on a configured basis, once per day.
Cloud connection: The communication channel between the Device Scout and the cloud is kept alive by means of a
server-initiated ping. This request occurs approximately once per minute and consists of a small packet of bytes.
Logging into a secure printer via username/password entry: The Device Scout controls the configuration settings on
integrated printers. When a user logs into a secure printer via username/password entry, the solution will attempt to
authenticate locally with Active Directory. The printer then retrieves and decrypts a document list from the cloud.
Documents are then delivered to the device by a Print Scout.
SNMP device discovery: The Device Scout performs SNMP scans to discover new printing devices on a configured network
segment. Some network monitoring tools may treat SNMP scans as sources of network congestion. We recommend
registering the Device Scout with your network security office so that they know to expect this network traffic.
You can configure the Device Scout to exclude certain subnets or IP addresses, restrict its scans to certain times of the
day, and reduce network utilization to a specific level.
Scout configuration data: The Device Scout retrieves its configuration data by initiating an outgoing secure HTTPS
connection to the scout control server. When the configuration has been received, the Device Scout terminates the
connection and operates without any outgoing connections until the next scheduled configuration check.
Automatic scout updates: From time to time, a new version of the Device Scout will be released with updated
functionality and any bug fixes. By default, the Device Scout will check for new versions of itself daily. If a new version is
available, the scout will automatically download and install the new version. Based on your organization’s preferences,
you can easily control this setting; you can set it to Notify, Off, or Automatic (the default).
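Once the Device Scout is registered with the network security office, its SNMP discovery can be told apart from other UDP/161 sweeps, and the excluded ranges and scan window become checks on the scout itself. The following is an added example, not HP code; the scout address, ranges, scan hours, threshold and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# All values are constructed for illustration (assumptions, not HP defaults).
SCOUT_IP = "10.10.0.5"             # Device Scout registered with the security team
SCAN_RANGES = ["10.20.0.0/22"]     # ranges the scout is configured to scan
EXCLUDE_RANGES = ["10.20.3.0/24"]  # Exclude Ranges entered in the scout config
SCAN_HOURS = range(1, 5)           # permitted scan window, 01:00 to 04:59
SWEEP_THRESHOLD = 20               # distinct SNMP targets per source per hour

def in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def triage(flows):
    """flows: (iso_timestamp, src_ip, dst_ip) records for UDP/161.
    Returns {(src_ip, hour): verdict} for each source that sweeps in that hour."""
    targets = defaultdict(set)
    for ts, src, dst in flows:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        targets[(src, hour)].add(dst)
    verdicts = {}
    for (src, hour), dsts in targets.items():
        if len(dsts) < SWEEP_THRESHOLD:
            continue  # routine polling of a few devices, not a sweep
        stray = [d for d in dsts
                 if not in_any(d, SCAN_RANGES) or in_any(d, EXCLUDE_RANGES)]
        if src != SCOUT_IP:
            verdicts[(src, hour)] = "ALERT: sweep from unregistered host"
        elif int(hour[-2:]) not in SCAN_HOURS:
            verdicts[(src, hour)] = "ALERT: scout active outside scan window"
        elif stray:
            verdicts[(src, hour)] = "ALERT: scout probing %d excluded or out-of-range hosts" % len(stray)
        else:
            verdicts[(src, hour)] = "expected: Device Scout discovery"
    return verdicts

def sample_flows():
    """Constructed records: scout sweep, rogue sweep, single poll, scout drift."""
    scout = [("2024-01-10T02:%02d:00" % i, SCOUT_IP, "10.20.0.%d" % i) for i in range(1, 41)]
    rogue = [("2024-01-10T14:05:%02d" % i, "10.30.0.77", "10.20.1.%d" % i) for i in range(1, 31)]
    poll = [("2024-01-10T14:10:00", "10.30.0.8", "10.20.0.9")]
    drift = [("2024-01-11T02:00:%02d" % i, SCOUT_IP, "10.20.3.%d" % i) for i in range(1, 26)]
    return scout + rogue + poll + drift

if __name__ == "__main__":
    for key, verdict in sorted(triage(sample_flows()).items()):
        print(key, verdict)
```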
Internet traffic
The following table provides details and guidance on the internet traffic required by HP Secure Print. The number of
documents per user per month is intended as an example only. Data consumption can be tailored depending on whether
cloud-based document storage is required.
Monthly internet traffic per user
Scenario | Cloud storage? No | Cloud storage? Yes
Number of secure documents [5] | 5/day | 5/day
Average document size [6] | 0.5 MB | 0.5 MB
Cloud document storage | No | Yes
Print document information
Transmission per document
Document metadata | 0.002 MB | 0.002 MB
Document contents [7] | 0.000 MB | 0.550 MB
Job metadata for reporting | 0.003 MB | 0.003 MB
Transmission per document total | 0.005 MB | 0.555 MB
Documents per user (example only) | x 152/month | x 152/month
Data transmitted per month | 0.760 MB | 84.406 MB
Workstation connection
Keep-alive packet per minute | 0.0001 MB | 0.0001 MB
Connection data per month | 3.241 MB | 3.241 MB
Other data transmission
Print Scout daily status, AD lookups | 0.004 MB | 0.004 MB
Device Scout daily device meters | 0.005 MB | 0.005 MB
Other data transmission daily total | 0.009 MB | 0.009 MB
Other data transmission per month | 0.274 MB | 0.274 MB
Total Internet bandwidth (per user, per month) | 4.28 MB | 87.92 MB
Examples
Scenario 1:
Organization with 500 users storing documents in the cloud
Traffic per user: 87.92 MB per month
Total traffic: 500 x 87.92 MB = 43.96 GB per month
Scenario 2:
Organization with 1,000 users not storing documents in the cloud
Traffic per user: 4.28 MB per month
Total traffic: 1,000 x 4.28 MB = 4.28 GB per month
© Copyright 2016, 2020-2021 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Android, Google, and Google Play are registered trademarks of Google Inc. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Windows, and Windows Server are U.S. registered trademarks of the Microsoft group of companies.
4AA6-8661ENW, June 2021, Rev. 2
Learn more: hp.com/go/secureprint
[1] HP Secure Print works with most network-connected printers and MFPs. On-device authentication requires HP FutureSmart firmware 4.8 or newer. Supported card readers include X3D03A (HP USB Universal Card Reader) and Y7C05A (HP HIP2 Keystroke Reader). Internet connection required for some functionality. For more information, see hp.com/go/secureprint.
[2] “Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019,” https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g.
[3] If secure Internet Printing Protocol (IPPS) is not enabled on the printer, the RAW delivery protocol is used.
[4] Standard TLS negotiation is used to support TLSv1, TLSv1.1, TLSv1.2.
[5] The guidance on traffic volume is based on assumptions of an average of 5 secure documents printed per day, per user.
[6] Document size can vary based on the nature of the documents printed. Calculations are based on an average document size of 500 KB.
[7] For cloud document storage, the solution will first attempt to retrieve the document from the user’s workstation. We assume that 10% of the time, the user’s workstation may not be available (e.g., in sleep mode or offline). In this case, documents are retrieved from the cloud.